Australia's new data breach laws require businesses and government entities to disclose hacks and leaks that cause "serious harm", with fines of up to $2.1 million for those who don't comply, but experts say the agency responsible for enforcing them may not have the resources to do so.

The Notifiable Data Breaches (NDB) scheme — which came into effect on Thursday — is likely to cause a swell in reported breaches. Former NSW Deputy Privacy Commissioner Anna Johnston, now head of Sydney-based private consultancy Salinger Privacy, questioned whether the Privacy Commissioner could enforce the new laws, considering it hadn't been allocated any new funding by the Turnbull government.

Outgoing Privacy Commissioner Timothy Pilgrim.

In an interview with Fairfax Media, Privacy Commissioner Timothy Pilgrim — who recently announced his retirement — did not deny it would be tough to keep on top of the office's growing caseload, revealing there were already long wait times for existing matters in his office.

"I haven't received any additional funding to date for the Notifiable Data Breaches Scheme," Pilgrim said. "The allocation of funding — resources to government agencies, as you would understand — is a matter for government.

"What I will need to do, in the absence of any additional resourcing, is take a priority approach to all our work, and ensure that we're dealing with those issues which are identified as being the key priorities," he said.

A new survey conducted by GfK Australia in January for Canon's Business Readiness Index revealed that three in five businesses that will be affected by the new legislation are unaware of it and what it means for them.

Under the existing voluntary scheme, 120 notifications of data breaches were reported by businesses and government this financial year, but mandatory schemes launched overseas indicate that number will balloon substantially. Within the first 100 days of the Dutch Data Protection Authority's scheme being launched, for instance, it received about 1000 notifications.

Under the Australian scheme, organisations need to notify affected individuals and the Privacy Commissioner about eligible data breaches when there is unauthorised access to or disclosure of personal information held by an entity that is likely to result in "serious harm" to any of the individuals to whom the information relates.

Pilgrim said that, despite some fears companies would continue to cover up breaches, the new laws provided a large enough fine to deter this.

"I can't answer whether there is a culture of cover-ups at all. I think that the regulation will have an effect [and] that it will change some organisations' attitudes to reporting breaches ... because at the end of the day there are penalties applicable should they not be quick on meeting requirements."

Pilgrim ruled out publishing a "name and shame" list that identified companies that have suffered breaches, but said his office would review this in 12 months.

"For the first 12 months, we will be providing statistical information on the number of breaches," he said. "We won't be publishing every breach at this stage."

And he reminded organisations that even if they reported a breach, they could still be liable for fines if they suffered repeat breaches or had been egregiously lax in protecting information.

In the last financial year, Pilgrim's office recorded a 16 per cent increase in the number of privacy complaints and investigations. It also recorded an approximately 26 per cent increase in the number of freedom of information review applications.

"We do have a waiting time for some of those complaints, but we are also able to demonstrate that, year-on-year, we've also increased our output," Pilgrim said.

One thing the commissioner hoped wouldn't come out of the breach scheme was "notification fatigue", where consumers receive so many notifications that they miss the important ones and, as a result, don't take steps to protect their information.

And while he only supported civil financial penalties being applied to entities for now, he didn't rule out his office recommending criminal penalties in the future.

Johnston, the former NSW Deputy Privacy Commissioner, said a lack of new funding for new government laws, such as the new data breach notification scheme, often indicated how serious government was about enforcing new laws.

The Office of the Australian Information Commissioner (OAIC), which the Privacy Commissioner sits in, was allocated a budget of $14,327,000 this financial year. It employs 86 people, 48 of whom are dedicated to its privacy functions and 18 towards freedom of information reviews.

Like most other agencies, the OAIC is also subject to the government's "efficiency" dividend, which sees funding cut by between 1.25 and 2.5 per cent each year.

Apart from funding, Johnston also questioned what the likelihood of fines being applied would be, and pointed to whether the fines were high enough. Europe's new General Data Protection Regulation scheme places fines of up to 20 million euros ($31.4 million) or 4 per cent of global turnover, whichever is higher, on companies.

"Those penalties are squarely aimed at big business, which might otherwise shrug off smaller fines as the cost of doing business," Johnston said.

Dr Jon Oliver, a director and data scientist at computer security firm Trend Micro, said notification to the impacted individuals "may prove a very challenging task for smaller companies" who didn't have the expertise to contact all affected individuals.

Bede Hackney, the ANZ country manager at computer security company Tenable, said one of the positive outcomes of the new laws would be that we would start to get an understanding of the real size of the data breach problem.

"There's no quantifiable data in Australia at this point," Hackney said, adding that Australian companies were somewhat unprepared for the laws. "Adequate protections in some organisations are simply not in place, but this is out of naivety rather than intent."

Brian Fletcher, a director of government affairs at Symantec, said the rising cost of a data breach and increased reporting requirements would likely result in "increased cyber insurance uptake by private companies".